Wednesday, 6 August 2014

All objects in Active Directory (users, groups, OUs, group policy objects and so on) are defined by the AD schema's object classes and attributes. An AD object can be fairly complex because of the attributes attached to it: if even one attribute is removed or altered, the applications and systems that depend on that attribute can fail. Every change to an object is also recorded as several separate events, so it is important to be able to find all the events that belong to one change.

Enabling auditing on Active Directory objects is a must. Note, however, that audit settings differ slightly between Windows versions, so in a mixed environment consult each version's documentation for the appropriate settings.

Windows Server 2008 Auditing Change

Before Windows Server 2008, auditing could only tell you that a value had changed; it did not record what the value was before the change. The directory service access events that Windows Server 2003 R2 writes to the Security event log therefore give you very little to work with.

Things are quite different in Windows Server 2008, which lets administrators record changes to AD objects: the audit event carries both the value before the change and the value after it. The auditing policy in Windows Server 2008 is also split into four subcategories:

Directory Service Access

Directory Service Changes

Directory Service Replication

Detailed Directory Service Replication

Of these, Directory Service Changes is the one that produces the old-value/new-value events (event IDs 5136 modified, 5137 created, 5138 undeleted, 5139 moved and 5141 deleted); Directory Service Access still produces the older 4662 object-access event that only says an object was touched.

Enabling Auditing changes to AD Objects

Auditing can be enabled on a single object, on an OU, or at domain level. Two things are needed: the Directory Service Changes subcategory must be enabled in the audit policy that applies to the domain controllers (normally the Default Domain Controllers Policy), and the object or container must carry an auditing entry (SACL) that says which principals and which operations to audit. A SACL entry on its own records nothing. The steps below, in Active Directory Users and Computers, add the SACL entry.

3. Click View and make sure that Advanced Features is enabled. If it is not, click it to place a check next to it.

4. Right-click the Organizational Unit or container you want to audit (in this example, Users) and click Properties.

5. Click the Security tab.

Note: If the Security tab is not shown, check that Advanced Features is ticked under the View menu.

6. Click on Advanced.

7. Click the Auditing
tab, then click Add.

8. Under Enter the object name to select:, type Authenticated Users and click OK.

In the next window, under Apply onto:, select Descendant User Objects. Under Access, check the box next to Write all properties and click OK.

9. Click OK until all dialog boxes are closed.

Applied at the domain root in the same way, change auditing covers the complete Active Directory domain, and the Security event log on each domain controller then records the changes made to every AD object.

Nevertheless, one important point needs care. Auditing costs time, and too many audit entries can hurt domain controller performance, so there is always a trade-off between the level of detail you actually need and the performance of your DC. Moreover, because the audit data stays on the domain controllers, it is not always a reliable audit trail of administrator actions: a domain administrator can clear or alter the log, or any other file on the system. In addition, Windows Server 2008 provides no real reporting or analysis capability for the Security log.

To safeguard Active Directory, real-time monitoring is a must, because it helps you identify high-impact, suspicious or prohibited changes. The ideal way to achieve this is with a third-party Active Directory auditor such as LepideAuditor for Active Directory, which performs real-time monitoring and provides reports on specific objects.

Summary

Enabling auditing on Active Directory objects is a must. Windows Server 2008 provides native functionality for auditing changes, but significant gaps and limitations remain. To safeguard Active Directory, real-time monitoring is needed, and the best way to get it is a third-party Active Directory auditing tool.